What is a Business Associate?
A business associate (BA) under HIPAA is any person or organization that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity, or provides services to a covered entity that involve access to PHI. Business associates are directly subject to certain HIPAA requirements and must sign a Business Associate Agreement (BAA) with each covered entity they serve.
Common examples of business associates
Many types of organizations qualify as business associates:
- Cloud service providers — hosting companies that store or process ePHI (such as AWS, Azure, or Google Cloud when used for health data); under HHS cloud guidance, a provider is a business associate even when the ePHI it stores is encrypted and it never holds the decryption key
- IT service providers — managed service providers, consultants, or contractors with access to systems containing PHI
- SaaS vendors — software platforms that process, store, or transmit PHI (EHR systems, telehealth platforms, billing software)
- Billing and coding companies — organizations that process claims or handle billing data containing PHI
- Legal and accounting firms — when their work involves reviewing or handling PHI
- Data analytics firms — companies that analyze health data on behalf of covered entities
- Shredding and destruction companies — vendors that dispose of physical or electronic media containing PHI
Business associate obligations
The HITECH Act extended direct liability to business associates for certain HIPAA requirements. Business associates must:
- Implement safeguards — maintain administrative, physical, and technical safeguards appropriate to the sensitivity of the PHI they handle
- Report breaches — notify the covered entity of any breach of unsecured PHI without unreasonable delay, and no later than 60 days after discovery; the 60 days is the regulatory outer limit, and BAAs commonly contract for a much shorter notice period, which then governs
- Comply with the Security Rule — business associates are directly subject to HIPAA Security Rule requirements
- Limit PHI use — use and disclose PHI only as permitted by the BAA or as required by law
- Manage subcontractors — ensure that any subcontractors with access to PHI also sign BAAs and comply with HIPAA requirements
Subcontractor business associates
A business associate that engages its own subcontractors who will handle PHI must enter into BAAs with those subcontractors. This creates a chain of accountability:
- The covered entity signs a BAA with the business associate
- The business associate signs a BAA with its subcontractor
- The subcontractor has the same obligations as the business associate regarding PHI protection
This chain ensures that PHI is protected at every level, regardless of how many vendors are involved.
Penalties for noncompliance
Business associates face the same penalties as covered entities for HIPAA violations:
- Civil penalties ranging from $100 to $50,000 per violation (statutory base amounts, adjusted annually for inflation, so the current figures are higher)
- Annual caps of $1.5 million per violation category (again a base amount, subject to inflation adjustment)
- Criminal penalties for knowing violations, including fines up to $250,000 and up to 10 years' imprisonment in the most serious tier (offenses committed with intent to sell PHI or for commercial advantage or malicious harm)
- OCR enforcement actions, corrective action plans, and resolution agreements
Several high-profile enforcement actions have targeted business associates directly, demonstrating that HHS holds business associates accountable independent of the covered entities they serve.
How to determine if you are a business associate
Ask these questions:
- Does your organization handle PHI on behalf of a covered entity or another business associate?
- Do your services involve creating, receiving, maintaining, or transmitting PHI?
- Do you have access to systems or data that contain PHI?
If any answer is yes, your organization is likely a business associate and must comply with HIPAA requirements and maintain appropriate BAAs. Two caveats: the obligations attach because of the role you perform, not because a BAA was signed, so the absence of a BAA does not exempt you; and the conduit exception that covers entities merely transmitting PHI (such as an internet service provider or the postal service) is narrow and does not apply to a vendor that stores PHI or accesses it other than on a random or infrequent basis.
How episki helps
episki helps business associates build and maintain their HIPAA compliance programs by providing pre-built control frameworks, evidence collection workflows, and BAA management. The platform helps you demonstrate compliance to covered entity customers and streamlines security questionnaire responses. Learn more on our HIPAA compliance page.